February 1, 2001
Audit Report No. 01-004

Audit of the Contractor Background Investigation Process

Federal Deposit Insurance Corporation
Washington, D.C. 20434
Office of Inspector General

DATE: February 1, 2001

TO: Arleas Upton Kea
    Director
    Division of Administration

FROM: David H. Loewenstein
      Assistant Inspector General

SUBJECT: Audit of the Contractor Background Investigation Process (Audit Report No. 01-004)

The Office of Inspector General (OIG) has completed an audit of the FDIC's contractor background investigation process. Previous contractor-related audits indicated that the Division of Administration (DOA) was not always conducting contractor background investigations as required by the Acquisition Policy Manual (APM). In response to these reports, DOA took corrective action to strengthen controls for requesting, tracking, and documenting the contractor background investigation process. This audit assessed the progress that DOA has made in controlling the contractor background investigation process and in complying with applicable laws and regulations.

BACKGROUND

Rules and regulations of the FDIC regarding contractor conflicts of interest and minimum standards are stated in 12 CFR Part 366 that became effective on April 10, 1996, pursuant to the Federal Deposit Insurance Act. The Congress, mindful of the abuses that had taken place in the awarding of contracts by the Department of Housing and Urban Development, imposed standards of conduct for the Resolution Trust Corporation's (RTC) independent contractors that were later adopted by the FDIC when the FDIC assumed responsibility for RTC-related matters upon the RTC's sunset in December 1995.
These regulations apply to contractors that submit offers to provide services to the FDIC or that enter into contracts for services with the FDIC and subcontractors that enter into contracts to perform services under a proposed or existing contract with the FDIC. Disqualifying conditions under this regulation are that:

(1) No person shall perform services under an FDIC contract and no contractor shall enter into any contract with the FDIC if that person or contractor:

    (a) Has been convicted of any felony;

    (b) Has been removed from, or prohibited from participating in the affairs of, any insured depository institution pursuant to any final enforcement action by the Office of the Comptroller of the Currency, the Office of Thrift Supervision, the Board of Governors of the Federal Reserve System or the FDIC or their successors;

    (c) Has demonstrated a pattern or practice of defalcation regarding obligations; or

    (d) Has caused a substantial loss to any federal deposit insurance funds.

The policies for ensuring that contractors meet minimum standards of competence, experience, integrity, and fitness as stated in 12 CFR Part 366 are included in the APM issued by DOA. According to the APM, the Contracting Officer is responsible for requesting a background investigation on the contractor, subcontractors, management officials, and key personnel for (1) contracts for services of $100,000 or greater; (2) awards where the contractor's employees will be required to work on-site at an FDIC office regardless of dollar amount; and (3) any other award at the discretion of the Contracting Officer. Key personnel are defined as a contractor's employees designated to perform essential work under the contract.
Contracts for goods do not require background investigations.

The background investigation process is initiated when the contract is awarded and the Contracting Officer obtains background questionnaires that include certifications regarding disqualifying conditions from key personnel designated in the contract. This information is provided to the Chief, Employee/Contractor Security Unit (ECSU) who is then responsible for conducting the background investigation. The background investigation consists of various database checks on the individual or company including searches of Dun & Bradstreet (D&B), Credit Bureaus, Lexis/Nexis, General Services Administration (GSA) Debarred Lists, National Association of Securities Dealers Activities Query, FDIC and other bank regulatory databases, and court records from the last known address of the individual.

In addition to the background investigations conducted on key personnel, any contractor issued a badge for access to FDIC premises completes a Background Investigation Questionnaire to certify whether they have any disqualifying conditions and is fingerprinted. The fingerprints are submitted to the Federal Bureau of Investigation (FBI) to determine whether the contract employee has a history of felony convictions. Additionally, the APM was amended as of March 2000 to also require fingerprinting of any contract personnel who obtain a log-on identification for access to the FDIC network.
Table 1 shows the type of background investigation a contractor should be subjected to based on their designation as "key personnel" and access to FDIC premises or systems.

Table 1: Type of Background Investigation Conducted Based on Designation of Contractor Personnel

| Role Assigned to Contractor Personnel | Contract Employee Submits Self-Certification on Disqualifying Conditions | Database Inquiry of Credit Bureaus, D&B, GSA, FDIC, and Courts of Last Known Address | Fingerprints Submitted to FBI for Criminal Record History |
|---|---|---|---|
| Key Personnel Issued FDIC Badge or with Log-On Access | Yes | Yes | Yes |
| Key Personnel Without FDIC Badge or Log-On Access | Yes | Yes | No |
| Non-Key Personnel Issued FDIC Badge or with Log-On Access | Yes | No | Yes |
| Non-Key Personnel Without FDIC Badge or Log-On Access | No | No | No |

To strengthen controls over the background investigation process, the Acquisition Section in DOA implemented the Background Investigation Tracking System (BITS) in July 1999. BITS is a database that tracks background investigations from the date requested until the results are reported by ECSU.
Until implementation of BITS, ECSU maintained the only tracking system for background investigations, the Fitness and Integrity Tracking System (FITS). An additional procedure was also implemented in October 1999 for a biweekly reconciliation to be conducted between the Purchase Order System (POS) and BITS. These procedures were implemented to track background investigation requests made on contracts in excess of $100,000 and to ensure background investigations were requested as required by the APM.

OBJECTIVE, SCOPE, AND METHODOLOGY

The audit objective was to evaluate the process for requesting, tracking, and documenting contractor background investigations and to assess whether the process complied with applicable laws and regulations. The audit scope included contracts awarded in excess of $100,000 from January 1, 1999 to December 31, 1999. The audit methodology included:

•   Identifying contracts awarded during 1999 and selecting a sample of 40 contracts in excess of $100,000.
    We selected our sample to include contracts from each month and from each FDIC division in Washington and the Dallas Regional Office.[1]

•   Reviewing ACSB contract files for each contract selected in our sample for evidence of background requests as required by the APM.

•   Reviewing contractor invoices submitted to identify contractor personnel who were submitting billings but who were not listed as key personnel.

•   Comparing information in the contract files with BITS and FITS.

•   Reviewing applicable laws, regulations, and FDIC procedures on the requirements for background investigations.

•   Reviewing background investigation files in the ECSU related to our audit sample.

•   Interviewing DOA contracting and security officials responsible for the background investigation process to identify procedures and practices implemented during the audit scope.

•   Obtaining information from the FBI regarding the National Criminal Information Center system and processes related to obtaining criminal record histories.

•   Reviewing sign-in logs from January 1, 2000 to April 30, 2000 in one of the FDIC's headquarters buildings for recurring entries exceeding a 2-week timeframe.

•   Reviewing prior audit reports containing issues related to contractor background investigations.

[1] Our sample included Legal Division Contracts for services other than retention of outside counsel because the Legal Division is not subject to the APM for those types of engagements.

The audit was conducted in accordance with generally accepted government auditing standards. Audit fieldwork was conducted from January 2000 to August 2000 at DOA offices in Washington, D.C., and the Dallas Regional Office.

RESULTS OF AUDIT

Current contractor background
investigation policies do not consistently cover all contractor personnel. Only contractor personnel designated as "key personnel" or those who obtain a contractor badge to enter FDIC premises self-certify by completing background questionnaires and undergo any form of background investigation. Therefore, many contractor personnel are able to enter FDIC premises and work on FDIC contracts without either receiving any form of background investigation or self-certifying that they do not possess disqualifying conditions. At a minimum, FDIC should ensure that all contractor personnel self-certify that they have no disqualifying conditions.

In July 1999, the Acquisition Section in DOA improved the process for requesting, tracking and documenting contractor background investigations by implementing the BITS. In October 1999, the process was further strengthened when steps were added to compare background investigation requests entered into BITS with the Purchase Order System to verify that background investigations were requested for all contracts as specified in the APM. Prior to these improvements, the Acquisition Section did not have controls in place to verify that contract specialists ordered background investigations on contractors as required by the APM. As a result, contracts were awarded without contractor personnel receiving the background investigations required by the APM. While the process has been improved, further actions are needed to improve the contractor background investigation program. Specifically,
Specifically,\n\n\xe2\x80\xa2   DOA should take steps to verify that contractor personnel working for the FDIC self-certify\n    that they have no disqualifying conditions.\n\n\xe2\x80\xa2   The need for background investigations of contractor personnel should be based on an\n    evaluation of the roles of contractor personnel rather than on their designation as "key\n    personnel."\n\n\xe2\x80\xa2   Contract Specialists at the Regional Offices should be required to submit background\n    investigation requests through the Contractor Relations Group (CRG) in Headquarters.\n\n\xe2\x80\xa2   Procedures should require that the ECSU receive and review the POS report to verify that\n    background investigations are requested.\n\n\xe2\x80\xa2   Fingerprinting of contractor employees with log-on access needs to be implemented.\n\nCURRENT PRACTICES DO NOT CONSISTENTLY COVER ALL CONTRACTOR\nPERSONNEL\n\nUnder the Federal Deposit Insurance Act and 12 CFR 366, no contractor employee who has a\ndisqualifying condition should work for the FDIC. The contractor must agree that no person will\nbe employed, directly or indirectly, under any contract with the FDIC unless they meet the\nminimum standards set forth in the regulation. The purpose of the FDIC background\ninvestigation program is to further ensure that contractors do not possess disqualifying\nconditions. However, under the current contractor background investigation policy, only\ncontractor personnel designated as "key personnel" undergo a background investigation that\ncovers all disqualifying conditions. 
This policy relies on the contractor to verify that non-key personnel do not have disqualifying conditions unless the individual designated as "non-key" is fingerprinted when obtaining a badge to enter FDIC premises or log-on access to FDIC systems. As a result of fingerprinting, the FDIC is able to verify that contractor personnel do not have a felony conviction; however, other disqualifying conditions are not verified. The current background investigation program could be improved by using a basis other than "key personnel" as the determining factor in when to conduct a background investigation.

"Key Personnel" Is Not an Effective Designation for Determining Background Investigations

According to the APM, the contracting officer is responsible for requesting a background investigation on the contractor, subcontractors, management officials, and key personnel for (1) contracts for services of $100,000 or greater, (2) awards where the contractor's employees will be required to work on-site at an FDIC office regardless of dollar amount, and (3) any other award at the discretion of the Contracting Officer.

During our review of 40 contract files, we identified 8 contracts for which background investigations were requested per the APM requirement pertaining to "key personnel." However, in reviewing the contractors' billings for those 8 contracts, we identified 55 individuals that billed hours but were not designated as key personnel. As a result, these 55 individuals were not required to submit certifications as to whether they had any disqualifying conditions and did not undergo background investigations. The definition of key personnel as stated in the APM is "a contractor's employees designated to perform essential work under the contract."
Based on discussions with DOA contract specialists and management officials, the term "key personnel" is primarily used in determining contract award. These are often managers and senior staff whose qualifications are critical to the contract but who may not actually perform the bulk of the work. While qualifications of key personnel may be important in awarding a contract to a particular firm, the designation of key personnel is not an effective method of determining whether a background investigation should be conducted. For instance, some individuals may perform substantial work on the contract but are not designated as being "key personnel." Also, some individuals may be designated as "key personnel" but do not perform a significant amount of work related to the contract. As a result of using "key personnel" as the basis for when to conduct background database inquiries, DOA may not be targeting the most appropriate contractor personnel for verification of all disqualifying conditions.

Some Contractor Personnel Enter FDIC Premises Without Being Fingerprinted or Self-Certifying That They Have No Disqualifying Conditions

Before contractor personnel obtain a badge to enter FDIC premises, they complete a Background Questionnaire certifying whether they have disqualifying conditions and are fingerprinted. Their fingerprints are sent to the FBI, and a criminal record history is obtained verifying that they have not been convicted of any felony. However, contractors who enter FDIC premises on an intermittent basis or anticipate working on FDIC premises for less than a 2-week period are not required to obtain a badge and are not fingerprinted. We reviewed sign-in logs for the FDIC's 801 17th Street, N.W. Washington, D.C. location over a consecutive 4-month period and noted that over 800 contract personnel had signed in because they did not have a badge. Many of these contractors signed in multiple times over the 4-month period.
Such contractors included office movers, locksmiths, and maintenance personnel, many of whom entered after normal working hours when the building was empty or when only a few FDIC employees might have been in the building. Unless these individuals were designated as key personnel on the contract, they never certified regarding disqualifying conditions and were not considered for or subjects of a background investigation or criminal record history.

Recommendations

The Associate Director, ACSB, DOA should:

(1) implement a program to verify that contractors are taking steps to ensure that management officials, employees, and subcontractors working under a contract with the FDIC meet minimum standards as stated in 12 CFR 366.

(2) base the need for conducting database background investigations on the anticipated work of the contract employee rather than on their designation as "key personnel."

CONTROLS SHOULD INCLUDE REGIONAL OFFICES AND ECSU

Procedures implemented during 1999 by the Acquisition Section of ACSB improved controls over the contractor background investigation process. However, these procedures did not include contracting functions in the FDIC Regional Offices or include the ECSU in the control process. As a result, there is no tracking system for contractor background investigations on contracts awarded from the Regional Offices. Also, the ECSU has responsibility for conducting background investigations, but procedures do not facilitate that section's ability to ensure they are requested as required by the APM. In addition, while the APM was amended effective March 31, 2000 to require fingerprinting of all contractors with log-on access, as of July 31, 2000, the ECSU had not received any such requests.

On July 19, 1999, the Acquisition Section instituted new procedures to monitor contractor background investigation requests and created BITS.
Under these new procedures, Contract Specialists in headquarters were instructed to forward contractor background investigation request packages through the CRG for review. The CRG reviews the request package for completeness and enters data from the request in BITS in order to track the progress of the background investigation. In addition, to verify that background investigation requests were made for all headquarters contracts over $100,000, the CRG added a procedure to obtain a bi-weekly report from the POS that lists all contracts awarded in excess of $100,000. This report is compared to BITS to ensure that a background investigation was requested for each contractor.

We reviewed our sample of 40 contracts in excess of $100,000 (31 from headquarters and 9 from the Dallas Regional Office) awarded during 1999 to determine compliance with the APM for contractor background investigations. Our review found non-compliance on 5 of 12 headquarters contracts awarded prior to July 19, 1999, and non-compliance on 1 of 19 contracts awarded after July 19, 1999. The one exception after the new procedures were implemented occurred because the contract specialist had inadvertently coded the contract as being for the purchase of goods. The error was later corrected when the miscoding was identified in the POS. We also found non-compliance on 2 of 9 contracts awarded in the Dallas Regional Office.

Based on discussions with contract specialists, the exceptions we found during our review occurred due to interpretations by the contract specialist as to the need for the background investigation and under what circumstances a background investigation is required. The procedures implemented by the Acquisition Section during 1999 provided needed controls to ensure that the background investigation process is completed in headquarters as required by the APM.
Had they been in effect prior to July 1999, and in the Regional Offices, it is likely that compliance with APM requirements would have been improved. Including the ECSU in the control process would also strengthen current procedures because the ECSU is a separate function from the Acquisition Section and is responsible for the contractor background investigation program. It would benefit DOA to formally assign responsibility to ECSU for reviewing the POS and determining whether required background investigations are being requested.

Recommendations

The Associate Director, ACSB, DOA, should:

(3) instruct that ACSB functions at the Regional Offices submit contractor background investigation requests through the CRG to be reviewed and tracked by BITS.

(4) instruct that the Chief, ECSU receive and review a bi-weekly copy of the POS report and contractor sign-in logs to verify that background investigations are requested as required by the APM.

(5) ensure that fingerprinting of contractor employees with log-on access to FDIC computer systems is implemented in a timely manner.

CORPORATION COMMENTS AND OIG EVALUATION

On December 21, 2000, the Director, DOA, provided a written response to a draft of this report addressing each of the report's recommendations (Appendix I). On January 17, 2001, the Assistant Director, Acquisition Section, Division of Administration provided more specific information clarifying DOA's earlier response. With respect to recommendation 1, the Assistant Director added that in conjunction with DOA's ongoing initiatives to increase contractor oversight and ensure compliance by contractors, DOA will continue to develop and implement practical alternatives for further verifying that contractors are in compliance with the applicable laws and regulations.
Regarding recommendation 2, the Assistant Director indicated that in addition to key personnel, the FDIC now requires self certifications and fingerprinting of all contractor personnel working on-site and contractor personnel working off-site with access to FDIC systems.

The Corporation's responses provided us with the requisite elements of a management decision for all recommendations as shown in Appendix II.

APPENDIX I

The Division of Administration (DOA) has completed its review of the Office of Inspector General (OIG) Draft Report entitled “Audit of the Contractor Background Investigation Process.” The OIG identified two audit findings and made five recommendations.

We generally agreed with the OIG conclusions. Our analysis and comments address all of the audit findings presented in the report. Recommendation 3 will require corrective action; and this response includes our expected completion date and the documentation that will confirm completion of the actions taken. Based on this Management Response, this serves as a statement of certification that the Acquisition and Corporate Services Branch (ACSB) has completed necessary corrective action for recommendation numbers 1, 2, 4, and 5.

MANAGEMENT DECISION

Finding #1: Current practices do not consistently cover all contractor personnel.

Recommendation #1: The Associate Director, ACSB, DOA should implement a program to verify that contractors are taking steps to ensure that management officials, employees and subcontractors working under a contract with the FDIC meet minimum standards as stated in 12 CFR 366.

Management Response: We agree and believe that the processes in place address 12 CFR 366.
The statute and regulation requires that the contractor agree that no person will be employed, directly or indirectly, under any contract with the FDIC unless they meet the minimum standards set forth in the regulation. The FDIC's Eligibility Representations and Certifications implement the statutory intent by requiring that the contractors certify that they do not use ineligible persons on FDIC contracts. The Acquisition Policy Manual further provides that the FDIC Eligibility Representations and Certifications are required on all service contracts of $25,000 and above. The APM addresses the minimal risk factor in service contracts below $25,000 by requiring that the FDIC Contractor Application be obtained from any contractor interested in doing business with the FDIC. The application requires the self certification by the contractor on the mandatory disqualifying conditions set forth in 12 CFR 366. Further, the FDIC Background Investigation Process requires any contractor employee who works on a FDIC site or who has access to our FDIC systems to be fingerprinted for an FBI criminal records check. Also, the application for a FDIC badge requires the employee to self certify to the mandatory disqualifying conditions set forth in 12 CFR 366 and likewise be fingerprinted.

This response serves as a statement of certification that ACSB has completed the necessary corrective action for recommendation #1.

Recommendation #2: The Associate Director, ACSB, DOA should base the need for conducting database background investigations on the anticipated work of the contract employee rather than on their designation as “key personnel.”

Management Response: We agree with the recommendation. DOA ACSB recently implemented actions that are consistent with the OIG’s recommendation.
As discussed above the FDIC now requires self certifications and fingerprinting of all contractor personnel working on-site and all contractor personnel working offsite who have access to FDIC systems. All individuals required to be fingerprinted to undergo an FBI criminal records check.

Finding #2: Controls should include Regional Offices and Employee/Contractor Security Unit (ECSU).

Recommendation #3: The Associate Director, ACSB, DOA should instruct that ACSB functions at the Regional Offices submit contractor background investigation requests through the CRG to be reviewed and tracked in BITS.

Management Response: We agree with the recommendation. DOA ACSB will modify the Acquisition Policy Manual to reflect the standard operating procedure for Headquarters Operations and the Regional Offices. This will ensure timely completion of the background investigation process. The APM will be changed as set forth herein.

    6.E.2.e. (3) If background investigations are required, then the Contracting Officer shall provide the completed background forms for the successful contractor for review prior to award, as follows:

        (a) For Headquarters Operations, background investigation requests shall be routed through the Policy and Compliance Unit before going to the Employee/Contractor Security Unit.

        (b) For Regional Offices, background investigation requests shall be routed to the Policy and Compliance Unit and the Employee/Contractor Security Unit simultaneously for processing.

        The investigations will generally be completed within ten (10) calendar days. However, if an investigation takes longer, the award may be made contingent upon the outcome of the investigation as specified in APM, 6.E.9.d, Award Prior to Completion of Reviews and Verifications.

The APM revisions
will confirm our completion of corrective action. We estimate completion by March 31, 2001.

Recommendation #4: The Associate Director, ACSB, DOA should instruct that the Chief, ECSU receive and review a bi-weekly copy of the POS report and contractor sign-in logs to verify that background investigations are requested as required by the APM.

Management Response: We agree in part with the OIG recommendation. The Purchase Order System (POS) report is received and reviewed by the ECSU. If background investigations have not been requested on contractors reflected in the report, the Contractor Relations Group is immediately notified via e-mail. We do not agree with the OIG’s suggestion that the Chief, ECSU review contractor sign-in logs. These logs are already being reviewed by the Security Operations Center at the end of each shift. The sign-in logs are examined to identify any pattern of contractors repeatedly signing in in lieu of being badged/fingerprinted. This information is then provided to the Chief, Physical Security Unit, for follow-up and action. That action consists of contacting the FDIC oversight manager to arrange for fingerprinting and badging of those contractors identified.[1]

Recommendation #5: The Associate Director, ACSB, DOA should ensure that fingerprinting of contractor employees with log-on access to FDIC computer systems is implemented in a timely manner.

Management Response: We agree with the recommendation. DIRM notifies the ECSU when an off-site contractor is given access. ECSU enters the information into FITS and promptly notifies the contractor to report for fingerprinting.

If you have any questions regarding this response, you may contact Andrew O. Nickle, Audit Liaison for the Division of Administration, at (202) 942-3190.

cc: Mike Rubino
    Deborah Reilly
    Patricia McClintock
    Harry Baker
    Richard Johnson
    Bill Kmetz
    Linda Phillips
    Andrew Nickle
    Kenneth T. Jones

[1] Management’s response reflects an alternative procedure that is acceptable to OIG.

APPENDIX II

MANAGEMENT RESPONSES TO RECOMMENDATIONS

The Inspector General Act of 1978, as amended, requires the OIG to report the status of management decisions on its recommendations in its semiannual reports to the Congress. To consider FDIC’s responses as management decisions in accordance with the act and related guidance, several conditions are necessary. First, the response must describe for each recommendation

•   the specific corrective actions already taken, if applicable;
•   corrective actions to be taken together with the expected completion dates for their implementation; and
•   documentation that will confirm completion of corrective actions.

If any recommendation identifies specific monetary benefits, FDIC management must state the amount agreed or disagreed with and the reasons for any disagreement. In the case of questioned costs, the amount FDIC plans to disallow must be included in management’s response.

If management does not agree that a recommendation should be implemented, it must describe why the recommendation is not considered valid. Second, the OIG must determine that management’s descriptions of (1) the course of action already taken or proposed and (2) the documentation confirming completion of corrective actions are responsive to its recommendations.

This table presents the management responses that have been made on recommendations in our report and the status of management decisions.
The information for management decisions is based on management’s written responses to our report.

| Rec. Number | Corrective Action: Taken or Planned/Status | Expected Completion Date | Documentation That Will Confirm Final Action | Monetary Benefits | Management Decision: Yes or No |
|---|---|---|---|---|---|
| 1 | The Director, DOA, agreed with the recommendation and stated that the Eligibility and Certifications form requires contractors to certify that they do not use ineligible persons on FDIC contracts. Further, DOA will continue to develop and implement practical alternatives for further verifying that contractors are in compliance with 12 CFR 366. | March 31, 2001 | Documentation of procedures for further verifying contractors' compliance | N/A | Yes |
| 2 | The Director, DOA, agreed with the recommendation and stated that DOA recently implemented actions that now require, in addition to key personnel, self certifications and fingerprinting of all contractor personnel working on-site and all contractor personnel working offsite who have access to FDIC systems. | Completed | Management Response | N/A | Yes |
| 3 | The Director, DOA, agreed with the recommendation and stated that DOA ACSB will modify the Acquisition Policy Manual to reflect the standard operating procedure for Headquarters and the Regional Offices. | March 31, 2001 | Amendment to APM | N/A | Yes |
| 4 | The Director, DOA, agreed in part with the recommendation and now the POS is received and reviewed by the Employee/Contractor Security Unit (ECSU). Sign-in logs will be reviewed by the Chief Physical Security Unit rather than the Chief, ECSU. | Completed | Management Response | N/A | Yes |
| 5 | The Director, DOA, agreed with the recommendation and stated that DIRM notifies the ECSU when an off-site contractor is given access. ECSU enters the information into FITS and promptly notifies the contractor to report for fingerprinting. | Completed | Management Response | N/A | Yes |